Fun with tcpdump

Have a look at what your home devices are chatting about, and what they're giving away about you when phoning home. Very useful if you want to keep some privacy.

This is something I do regularly at home, but I keep forgetting the proper command line options. :)

A little bit of motivation.

What technically happens here, is that you can directly read the traffic on your home's Wifi network. This way, you can check that the internet-connected devices in your home aren't phoning home and giving away information about you which you are not aware of. Because this kind of reporting normally happens "behind the scenes" and is invisible to the normal user, it has unfortunately become more common than it should have.

You can also find out which of your connections are encrypted and which aren't. This way, you can make sure that you're not sending your emails and passwords unencrypted through the internet, for intelligence services to collect.

In other words, doing this on your home network is more of a defense strategy than an attack.

Reading your network traffic

First, we need to set it up:

  1. Hook a Linux system between your device and the internet. A good solution is to run OpenWRT on your Wifi router, but you could also equip a Raspberry Pi with an additional Ethernet card and configure it to run as a bridge.
  2. Install tcpdump on that Linux system and make sure you have root access over ssh.
  3. Install Wireshark on a regular computer.

Finally, we are ready to intercept. We run tcpdump remotely, stream the captured packets over to your desktop machine, and analyze them there conveniently with Wireshark:

ssh root@192.168.0.1 \
  "tcpdump -i br-lan -U -s0 -w - host 192.168.0.123" \
  | wireshark -k -i -

The section "host 192.168.0.123" selects which packets to capture. If your ssh connection is over the same interface that you're intercepting, you need to be careful not to include packets belonging to your ssh connection. In this example, I'm only capturing packets where the local IP address 192.168.0.123 is part of the communication.

What the commands mean: